Manual Chapter: Common Elements for IPsec security association tasks
Applies To:
BIG-IP AAM
- 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP APM
- 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP Link Controller
- 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP LTM
- 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP AFM
- 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP ASM
- 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
Before starting this task, determine the source and destination IP addresses for the BIG-IP systems in your network that will direct the application traffic.

You create a manual security association to specify the security attributes for a given IPsec communication session. These attributes include the specific source and destination IP addresses of the communicating devices, the authentication algorithm, and the encryption algorithm that the IPsec protocol should use.

You must perform this task on both BIG-IP systems.
- On the Main tab, click.
- Click the Create button. The New Security Association screen opens.
- In the Name field, type a unique name for the security association.
- In the Description field, type a brief description of the security setting.
- In the SPI field, type a unique number for the security parameter index. This number must be an integer between 256 and 4294967296.
- From the IPsec Protocol list, select a protocol. You can select AH, Bundle, or ESP.
- In the Source Address field, type the source IP address. This IP address must match the IP address specified for the Tunnel Local Address in the selected IPsec policy.
- In the Destination Address field, type the IP address in CIDR format. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix. This IP address must match the IP address specified for the Tunnel Remote Address in the selected IPsec policy.
- From the Authentication Algorithm list, select an algorithm. You can select HMAC MD5 or HMAC SHA-1.
- From the Encryption Algorithm list, select the algorithm appropriate to your deployment.
- In the Authentication Key field, type a key value. This value can be any double-quoted character string up to a maximum of 128 characters.
- In the Encryption Key field, type a key value. This value can be any double-quoted character string up to a maximum of 128 characters.
- For the IPsec Policy Name setting, retain the default selection, default_ipsec_policy.
- From the IPsec Policy Name list, select an IPsec policy.
  - For the outbound security association, select the IPsec policy you created for outbound traffic.
  - For the inbound security association, select the IPsec policy you created for inbound traffic.
- For the IPsec Policy Name setting, select the IPsec policy you previously created for inbound traffic.
- For the IPsec Policy Name setting, select the IPsec policy you previously created for outbound traffic.
- Click Finished. The screen refreshes and displays the new IPsec security association in the list.
- Repeat this task on the BIG-IP system in the remote location.
- Repeat this task for security associations that handle outbound and inbound traffic on both the local and remote BIG-IP systems.
You now have an IPsec security association that you have assigned to an IPsec policy.
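
Because manual security associations are typed by hand on each system, it helps to check the planned values against the constraints in the steps above before entering them. The following Python sketch is an added example, not F5 code: the dictionary key names, function names, and sample values are assumptions made for illustration, and the key length is counted without the surrounding double quotes.

```python
import ipaddress

# Limits and choices as stated in the procedure above.
SPI_MIN, SPI_MAX = 256, 4294967296
PROTOCOLS = {"AH", "Bundle", "ESP"}
AUTH_ALGORITHMS = {"HMAC MD5", "HMAC SHA-1"}
MAX_KEY_CHARS = 128


def check_sa(sa, policy):
    """Return a list of problems found in one planned manual SA.

    `sa` and `policy` are plain dicts with hypothetical key names; they
    are this example's own model, not a BIG-IP data format.
    """
    problems = []
    if not isinstance(sa["spi"], int) or not SPI_MIN <= sa["spi"] <= SPI_MAX:
        problems.append("spi out of range")
    if sa["protocol"] not in PROTOCOLS:
        problems.append("unknown IPsec protocol")
    if sa["auth_algorithm"] not in AUTH_ALGORITHMS:
        problems.append("unknown authentication algorithm")
    for field in ("auth_key", "enc_key"):
        if len(sa[field]) > MAX_KEY_CHARS:
            problems.append(field + " longer than 128 characters")
    # Source/destination must match the policy's tunnel local/remote address.
    for field, tunnel in (("source", "tunnel_local"), ("destination", "tunnel_remote")):
        try:
            # ip_interface accepts address or address/prefix; a bare IPv4
            # address is treated as /32, as the procedure describes.
            iface = ipaddress.ip_interface(sa[field])
        except ValueError:
            problems.append(field + " is not a valid address/prefix")
            continue
        if iface.ip != ipaddress.ip_address(policy[tunnel]):
            problems.append(field + " does not match policy " + tunnel)
    return problems


def duplicate_spis(sas):
    """SPI values used by more than one planned SA (each must be unique)."""
    seen, dupes = set(), set()
    for sa in sas:
        (dupes if sa["spi"] in seen else seen).add(sa["spi"])
    return sorted(dupes)


# Constructed sample values: placeholder addresses and dummy keys.
POLICY_OUT = {"tunnel_local": "10.0.0.1", "tunnel_remote": "10.0.1.1"}
SA_OUT = {"spi": 1000, "protocol": "ESP", "auth_algorithm": "HMAC SHA-1",
          "auth_key": "k" * 20, "enc_key": "e" * 16,
          "source": "10.0.0.1", "destination": "10.0.1.1/32"}
```

An empty list from `check_sa` means the planned values satisfy the documented constraints; run it for the outbound and inbound associations of both systems, then pass all of one system's associations to `duplicate_spis`.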